I wanted to check if anyone was aware of a setting on a RedHat box for enabling the PROCTITLE event type for audit logs? Is there any difference between RedHat and CentOS? I have one box running RedHat 7.3 and another running CentOS 7.3, with auditd enabled on both with the same rules. However, only the RedHat box is populating the event type PROCTITLE - the CentOS box does not.

I would like to get the PROCTITLE event type working on my CentOS box as well, if possible, but I cannot find any documentation online about anyone else having this issue and how to resolve.

Post by Joshua Ammons
I have one box running RedHat 7.3 and another running CentOS 7.3, with auditd enabled on both with the same rules. However, only the RedHat box is populating the event type PROCTITLE - the CentOS box does not.

You might move that box to CentOS 7.4. The proctitle records were a kernel enhancement shipped in RHEL 7.4.

-Steve

Post by Joshua Ammons
I would like to get the PROCTITLE event type working on my CentOS box as well, if possible, but I cannot find any documentation online about anyone else having this issue and how to resolve.

Thanks for your time.

Joshua Ammons
Advanced SIEM Engineer, Cybersecurity
Global Business Services